Skillsign — ed25519 Skill Signing
Status: Warn. Audited by ClawScan on May 10, 2026.
Overview
The tool is coherent, but its verifier appears to trust unsigned signer metadata, so a forged or re-signed skill may be shown as coming from a trusted author.
Do not rely on this version as the sole basis for trusting or running skills until the verifier binds trust to the verified public key. If experimenting, use it only on selected skill folders, keep private keys secure, and manually compare trusted public-key fingerprints.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or untrusted skill could be signed with another key but display as [TRUSTED] by editing signer metadata, causing users or agents to trust code they should not.
The signature covers only the manifest, and the .skillsig directory (where the signer metadata lives) is excluded from that manifest; verification then takes the fingerprint and signed_at fields from signer.json to decide trust and revocation. The visible code does not recompute the fingerprint from the verified public key before calling is_trusted, so an attacker who edits the unsigned metadata controls which key the trust check believes signed the skill.
dirs[:] = [d for d in dirs if d != SKILLSIG_DIR] ... data = manifest_bytes(manifest); signature = private_key.sign(data) ... fp = signer["fingerprint"]; revoked, rev_info = is_revoked_at(fp, signer.get("signed_at", "")); trusted = is_trusted(fp)
Recompute the fingerprint from the embedded public key, compare the actual public key to trusted keys, and sign a full envelope that includes signer metadata and any timestamp used for revocation decisions.
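As an added example, not Skillsign's own code: the signer/verifier pair below contrasts the pattern the finding describes (signature over the manifest only, trust decided by an unsigned fingerprint field) with an envelope in which the signer metadata and signed_at sit inside the signed bytes and the fingerprint is recomputed from the key that actually verified. The field names, the SHA-256-over-raw-key fingerprint scheme, the sample manifest and the ISO-timestamp revocation rule are assumptions; it uses the cryptography package the tool already depends on.

```python
"""Added example (not Skillsign code): envelope signing that binds signer
metadata and derives trust from the verified public key. Field names,
fingerprint scheme and revocation rule are assumptions."""
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

# Constructed sample manifest (path -> sha256), standing in for .skillsig/manifest.json.
SAMPLE_MANIFEST = {
    "SKILL.md": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "scripts/run.py": "60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752",
}


def raw_public_bytes(public_key) -> bytes:
    return public_key.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)


def fingerprint(public_key_bytes: bytes) -> str:
    """Assumed scheme: hex SHA-256 over the raw 32-byte ed25519 public key."""
    return hashlib.sha256(public_key_bytes).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# Weak pattern, as the finding describes it: the signature covers the manifest
# only, signer metadata is unsigned, and its fingerprint field decides trust.
def weak_sign(private_key, manifest, signer_name, signed_at):
    pub = raw_public_bytes(private_key.public_key())
    return {
        "manifest": manifest,
        "signature": private_key.sign(canonical(manifest)).hex(),
        "signer": {"name": signer_name, "fingerprint": fingerprint(pub),
                   "public_key": pub.hex(), "signed_at": signed_at},
    }


def weak_verify(signed, trusted):
    key = ed25519.Ed25519PublicKey.from_public_bytes(bytes.fromhex(signed["signer"]["public_key"]))
    try:
        key.verify(bytes.fromhex(signed["signature"]), canonical(signed["manifest"]))
    except InvalidSignature:
        return "INVALID"
    # Defect: trusts the unsigned fingerprint field, not the key that verified.
    return "TRUSTED" if signed["signer"]["fingerprint"] in trusted else "UNTRUSTED"


# Hardened pattern: one envelope holds manifest + signer metadata + signed_at,
# the signature is over the whole envelope, and trust keys off the verified key.
def sign_envelope(private_key, manifest, signer_name, signed_at):
    pub = raw_public_bytes(private_key.public_key())
    envelope = {"manifest": manifest,
                "signer": {"name": signer_name, "public_key": pub.hex(), "signed_at": signed_at}}
    return {"envelope": envelope, "signature": private_key.sign(canonical(envelope)).hex()}


def verify_envelope(signed, trusted, revoked_at=None):
    """Return INVALID, REVOKED, TRUSTED or UNTRUSTED. revoked_at maps a
    fingerprint to the ISO-8601 UTC timestamp from which its signatures are rejected."""
    envelope = signed["envelope"]
    pub_bytes = bytes.fromhex(envelope["signer"]["public_key"])
    key = ed25519.Ed25519PublicKey.from_public_bytes(pub_bytes)
    try:
        key.verify(bytes.fromhex(signed["signature"]), canonical(envelope))
    except InvalidSignature:
        return "INVALID"
    fp = fingerprint(pub_bytes)  # recomputed from the key that actually verified
    revoked_at = revoked_at or {}
    # signed_at is inside the signed envelope, so it cannot be backdated after the fact.
    # Same-format ISO UTC strings compare correctly as strings.
    if fp in revoked_at and envelope["signer"]["signed_at"] >= revoked_at[fp]:
        return "REVOKED"
    return "TRUSTED" if fp in trusted else "UNTRUSTED"


def demo():
    """Walk both designs through the metadata-edit scenario from the finding."""
    author = ed25519.Ed25519PrivateKey.generate()
    other = ed25519.Ed25519PrivateKey.generate()
    author_fp = fingerprint(raw_public_bytes(author.public_key()))
    trusted = {author_fp}
    when = "2026-05-01T00:00:00Z"

    # Weak design: sign with a non-trusted key, then edit the unsigned metadata.
    forged = weak_sign(other, SAMPLE_MANIFEST, "other", when)
    forged["signer"]["name"] = "author"
    forged["signer"]["fingerprint"] = author_fp
    weak_result = weak_verify(forged, trusted)  # "TRUSTED": the check is fooled

    # Envelope design: an untampered non-trusted envelope resolves to its real key,
    # and editing the metadata breaks the signature.
    env = sign_envelope(other, SAMPLE_MANIFEST, "other", when)
    own_key = verify_envelope(env, trusted)      # "UNTRUSTED"
    env["envelope"]["signer"]["name"] = "author"
    tampered = verify_envelope(env, trusted)     # "INVALID"

    genuine = sign_envelope(author, SAMPLE_MANIFEST, "author", when)
    ok = verify_envelope(genuine, trusted)       # "TRUSTED"
    revoked = verify_envelope(genuine, trusted, {author_fp: "2026-04-01T00:00:00Z"})  # "REVOKED"
    return weak_result, own_key, tampered, ok, revoked
```

The design choice worth noting is that `verify_envelope` never reads a fingerprint from the input at all: the only fingerprint it consults is the one derived from the public key that just passed `verify`, so there is no unsigned field left for a re-signer to edit.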
If used on the wrong path, it can read and record filenames and hashes for many local files in a manifest.
The tool hashes every file under the user-selected folder. This is expected for signing skill folders, but it is broad if pointed at a home directory or other private location.
for root, dirs, files in os.walk(folder): ... manifest[str(rel)] = hash_file(fpath)
Run it only on intended skill folders and review the generated .skillsig/manifest.json before sharing signed folders.
A future or environment-specific dependency version could affect behavior or security.
The skill depends on an external package with a version range rather than a pinned version. This is normal for a Python crypto tool, but it leaves dependency resolution to the install environment.
install_requires=["cryptography>=41.0.0"]
Install from a trusted package index and consider pinning and auditing the exact cryptography version in controlled environments.
